tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: getting mod_auth_kerb to trust a request from tomcat
Date Fri, 04 Jun 2010 18:59:06 GMT
You may want to follow the other recent thread entitled "Kerberos header 
passing issue".

It seems that you and the other OP can at least exchange some tips.

g f wrote:
> Hello all,
> This may be better suited to Apache users group but I will try here in case.
> 
> I am running tomcat 6.0.24 ,  jre 1.6.0_16, Apache/2.2.15 (Debian) ,
> mod_auth_kerb/5.4  , mod_jk/1.2.28 mod_python/3.3.1 all installed via apt on
> Debian Lenny.
> 
> I have successfully been able to get all of this working (authentication,
> forwarding etc).
> 
> I have a java web app that has a servlet that serves as a proxy to get
> around cross site scripting.
> http://myapp/Proxy?url=www.somesite.com
> 
> I let Apache and mod_auth_kerb handle all authentication and it does well.
> 
> If I access my Proxy servlet like so:
> 
> http://MY_DOMAIN.COM/my_proxy_app/Proxy?url=http://MY_DOMAIN.COM/index.html
> 
> (Notice I am proxying to the same domain but different application)
> 
> I get a 401 error.
> 
> Here is what the access log (for apache) looks like for this request.
> 10.150.15.116 - - [04/Jun/2010:18:06:55 +0000] "GET /index.html HTTP/1.1"
> 401 829 "-" "Java/1.6.0_16"
> 10.150.15.212 - gforte@MY_DOMAIN.COM [04/Jun/2010:18:06:54 +0000] "GET
> /my_proxy_app/Proxy?url=http://MY_DOMAIN.COM/index.html HTTP/1.1" 500 394
> "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3)
> Gecko/20100401 Firefox/3.6.3 ( .NET CLR 3.5.30729)"
> o
> 
> Now if you notice the request from ip address 212 is actually the browser
> request to the proxy.
> The request from ip address 216 is the request from tomcat (notice the
> Java/1.6.0_16).
> 
> So it appears that Apache sees this request from the jre and tries to
> authenticate against mod_auth_kerb and of course it fails.
> 
> Is it possible to force tomcat to pass on the credentials it receives from
> the initial request(browser) along to tomcats own request back to apache?
> 
> Hopefully this is somewhat clear?
> 
> Flow:
> Browser makes request to ----> http://MY_DOMAIN.COM/my_proxy_app/Proxy
> ----> mod_auth_kerb authenticates and then mod_jk realizes it is a java app
> so it hands off the request to tomcat
> ----> Proxy servlet runs on tomcat and makes a URL request to
> http://MY_DOMAIN.COM/index.html  ---> Apache attempts to authenticate this
> request but since it is coming from the jre it disallows this request.
> 
> Thanks in advance!
> GF
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message